When searching for Wi-Fi networks, iOS8 devices can hide their true identities.

Share this story

Enlarge/ Until iOS 8 gets here, you might consider turning off Wi-Fi in iOS 7 while you're out in public.

Quartz is reporting a change to how iOS 8-equipped devices search out Wi-Fi networks with which to connect. The new mobile operating system, which is on track for a release in the fall, gives iOS 8 devices the ability to identify themselves not with their unique burned-in hardware MAC address but rather with a random, software-supplied address instead.

This is a big deal. As part of the seven-layer burrito OSI networking model that all networked devices these days conform to, every device that has a network interface has a unique MAC address—that stands for "Media Access Control." MAC addresses are used at layer 2 of the OSI model and help network switches (wired or wireless) determine which device is transmitting packets and which device should be receiving those packets; by design, MAC addresses are unique and no two networking interfaces should ever have the same one. Because wireless Ethernet adapters like the ones in smartphones broadcast their MAC addresses as part of their "hey, is there any Wi-Fi out here?" probe, MAC addresses provide one easily accessible unique identifier to track people as they walk through a public space. As Quartz notes, "Companies like Euclid or its peer Turnstyle Solutions use the data to track footfall in stores, how people move about in shops, how long they linger in certain sections, and how often they return."

The MAC address used for Wi-Fi scans may not always be the device's real (universal) address

This ought to throw a pretty significant wrench into some advertisers' and marketers' plans—if iOS 8 devices broadcast their Wi-Fi probe requests under constantly shifting unique MAC addresses, tracking devices across stores or other venues by MAC address becomes impossible. A significant amount of behavioral inferences (and thus valuable marketing metadata) can be drawn from location maps built out of MAC address detection over time, and obfuscating this information is a big step toward increasing iOS users' privacy.

However, it's difficult to class this as a wholly altruistic move on Apple's part. The company has its own location-based service that can be used to track users and issue alerts (or ads) to iOS devices—it's called iBeacon, and it's built in to all current-generation iOS devices. Rather than using a device's MAC address, iBeacon uses low-energy Bluetooth to enable specific iBeacon-aware apps on an iOS device to serve ads or notifications based on the device's location and proximity to iBeacon transmitters. iBeacon doesn't have quite the same goal as MAC address-based location tracking (iBeacon transmitters, for example, don't receive data from devices), but when coupled with iBeacon-aware apps that can watch a device's position, just as many privacy-invasive inferences about a person's habits can be made.

In adding MAC address randomization during Wi-Fi probing, Apple manages to both eliminate a potential privacy leak and drive companies interested in location-based advertising toward a solution it prefers. iOS users who would prefer to opt out of iBeacon can first ensure they have no iBeacon-aware apps installed (like the official Apple Store app), or they can disable Bluetooth. Until iOS 8 arrives, iOS 7 users who would prefer not to have their MAC addresses tracked in public can disable Wi-Fi when they're out and about.

Update: The source for Frederic Jacobs' tweet is the slide deck for WWDC session 715, "User Privacy on iOS and OS X," presented by Apple Product Security and Privacy representatives David Stites and Katie Skinner.

Share this story

Lee Hutchinson
Lee is the Senior Technology Editor at Ars and oversees gadget, automotive, IT, and culture content. He also knows stuff about enterprise storage, security, and manned space flight. Lee is based in Houston, TX. Emaillee.hutchinson@arstechnica.com